International Cyberwarfare Raising Questions About US Contractor Relationships

Espionage is a time-honored tradition – after all, there have always been secrets for others to uncover. The advent of digital technology and the rise of the internet have opened intelligence efforts to new frontiers, and cyberwarfare is increasingly common. Hacking is a necessary weapon in the digital age, prompting governments to engage in an arms and talent race against their rivals for cyber supremacy.

A Reuters report issued in January details Project Raven – an operation in support of the ongoing cyberwar between the United Arab Emirates (UAE) and Saudi Arabia against Qatar. With assistance from US and Israeli cybersecurity experts and former government hackers, Project Raven targeted political opponents of the Emirati government, opposing governments, and alleged terrorists before moving into potentially serious legal territory for the Americans involved – spying on US citizens. The question of whether these attacks were carried out using classified US techniques has led to an FBI investigation – and closer scrutiny of US contractor relationships with foreign governments.

Project Raven

The Project Raven operation was carried out using contractors hired by CyberPoint, a Baltimore-based cybersecurity company that has worked with the US Department of Defense. Lori Stroud, the only contractor willing to go on the record for the Reuters report, was an ex-National Security Agency (NSA) employee – like many of the contractors involved. Stroud told Reuters that “she understood her new job would involve a counterterrorism mission in cooperation with the Emiratis, a close U.S. ally in the fight against ISIS, but little else.” She also claimed that “[Marc Baier, a former NSA colleague] and other Raven managers assured her the project was approved by the NSA.”

Stroud was “part of Raven’s analysis and target-development shop,” profiling, hacking, and collecting data on online targets. According to Stroud and additional ex-Raven operatives, these ranged from “militants in Yemen, foreign adversaries such as Iran, Qatar and Turkey, and individuals who criticized the monarchy.”

The Americans were responsible for the logistical elements of the operation – assessing vulnerabilities in their targets, finding the right tools to use in surveillance, and monitoring the operations as they happened – with one key protection: Raven sources said that “an Emirati operative would usually press the button on an attack,” to give American operatives ‘plausible deniability.’

Soon the Americans involved discovered the operation was not limited to foreign governments and suspected terrorists – it was to include government critics, or so-called “national security targets.” Attacks on journalists and activists followed, some using a tool called Karma that allowed hackers to break into users’ iPhones.

Surveillance efforts began casting broader nets – and snaring Americans. This concerned the contractors with NSA experience, since “US law generally forbids the NSA, CIA and other US intelligence agencies from monitoring US citizens.” Stroud claimed that the contractors developed a policy in conjunction with managers to flag the material involving Americans for deletion, but “noticed American data flagged for removal show up again and again in Raven’s NESA-controlled data stores.”

Growing Concerns

By late 2015, UAE officials felt their surveillance program was ready to transition out from under foreign management and into the dominion of an Emirati company called DarkMatter. Foreign contractors were given the choice of leaving the operation or joining the DarkMatter team. Some left; the Americans who stayed were alarmed to find information being increasingly siloed away from American managers, sometimes under an ‘Emirate-eyes only’ designation.

Ex-Project Raven operatives have maintained that Baier had informed them at the outset that the program had the NSA’s blessing; according to Baier, the agency was receiving regular status updates along the way. But returning contractors found themselves under FBI scrutiny beginning in 2016. Agents were concerned, says the Reuters report, that the contractors “had…been asked to spy on Americans,” and that “classified information on U.S. intelligence collection techniques and technologies” may have ended up in the UAE’s possession.

Stroud initially rebuffed FBI inquiries in 2016, but says she had a change of heart in 2017 after noticing “a passport page of an American was in the system.” Supervisors assured her it was a mistake, but after using her access privileges to dig deeper, Stroud found additional American targets – all journalists. She relayed her concerns to Baier, who “attempted to downplay the concern and asked her to drop the issue…but he also indicated that any targeting of Americans was supposed to be done by Raven’s Emirate staff” – an account Reuters reported was “confirmed by four other former employees and emails reviewed by Reuters.” She was eventually placed on leave and had her passport seized, before being allowed to return to the US after two months.

Was All of This Illegal?

Sharing information on intelligence techniques is not unprecedented. Doing so legally, however, requires securing licenses from the US State and Commerce Departments. While neither agency was willing to comment on specifics, Reuters reported that there was a 2014 agreement between CyberPoint and the State Department outlining details of the working arrangement. The agreement “clearly forbade” the contractors from surveilling Americans and prohibited “sharing classified U.S. information, controlled military technology, or the intelligence collection methods of U.S. agencies.”

According to Robert Chesney, the Charles I. Francis Professor in Law at the University of Texas, the current legal provisions are a variation on “[allowing] such service only where there has been some degree of vetting on the front end, and some degree of ongoing monitoring on the back end,” and may be inadequate in our increasingly connected world. The nuances of the Project Raven saga – management transitioning from CyberPoint (and their license) to DarkMatter, for example – could be interpreted to absolve CyberPoint of any conduct-related issues after the transition.

But Chesney posits that US citizens who remained involved in the operation after the transition create “a possible enforcement gap in the licensing scheme.” That gap, and Project Raven as a whole, are marked by ambiguity. Chesney interprets the Reuters story to mean that Americans were not actively surveilling other Americans on the UAE’s behalf, but there is no question that “serious legal jeopardy” would result if that wasn’t the case – including possible invocation of “the Wiretap Act…and the Computer Fraud and Abuse Act.” Is more advance screening in order? More monitoring during operations? A blanket ban on espionage-centric US contractor relationships with foreign countries? There are no clear answers, but in our interconnected modern world, the questions are not going away.

Quandary Peak Research

Based in Los Angeles, Quandary Peak Research provides software litigation consulting and expert witness services. We rapidly analyze large code bases, design documents, performance and usage statistics, and other data to answer technical questions about the structure and behavior of software systems.
